Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for protecting a first device coupled to an input/output (I/O) bus from being accessed in an unauthorized manner by a second device coupled to the I/O bus, the method comprising: transmitting to the first device a request to perform a peer-to-peer operation across the I/O bus without intervention from an operating system; determining if said request is authentic as being dispatched from the second device; determining if the second device is authorized to request the first device to perform said peer-to-peer operation; and performing said peer-to-peer operation by said first device, without intervention from the operating system, if said request is authentic from the second device and if the second device is authorized to request said peer-to-peer operation.
2. The method of claim 1, wherein the second device belongs to one of a set of I/O device classes, the method further comprising: receiving a rule set by the first device which identifies a set of peer-to-peer operations which the second device is authorized to request the first device to perform based upon the I/O device class of the second device; and determining if the second device is authorized to request the first device to perform said peer-to-peer operation and determining if the second device is authorized to request said first device to perform said peer-to-peer operation based upon said rule set and said I/O device class of the second device.
3. The method of claim 2, wherein at least a portion of said rule set is received via user input.
4. The method of claim 2, wherein at least a portion of said rule set is based upon a predetermined rule set.
5. The method of claim 1, further comprising: encrypting by the second device said request prior to said second device transmitting to the first device; and decrypting by the first device the encrypted said request prior to performing said peer-to-peer operation.
6. The method of claim 5, wherein said encrypting is performed using a private key and said decrypting is performed using a public key.
7. The method of claim 5, wherein said encrypting is authorized based on a digital signature comprising a hash which is encrypted by an originating said second device with a private key of the originating second device and then validated by a receiving said second device by recalculating the hash and then decrypting the transmitted hash and comparing the two values.
8. The method of claim 7, wherein the two values comprise the recalculated said hash and the decrypted hash.
9. The method of claim 1, wherein said peer-to-peer operation is a read operation, and wherein said performing said peer-to-peer operation comprises: retrieving by the first device data specified in said peer-to-peer operation; and transmitting said data from the first device to the second device.
10. The method of claim 9, further comprising: the second device determining if said data is authentic as transmitted by the first device; the second device storing said data only if said data is authentic.
11. The method of claim 10, further comprising: the first device encrypting the data prior to said transmitting said data to the second device; the second device decrypting said data prior to said storing said data.
12. The method of claim 1, wherein said peer-to-peer operation is a write operation, wherein data is included in said request, and wherein said performing said peer-to-peer operation comprises: the first device storing said data as specified in said request only if said data is authentically transmitted by the second device.
13. The method of claim 12, further comprising: the first device encrypting a reply message including a status of the requested peer-to-peer operation and transmitting said reply message to the second device after the storing of said data; the second device receiving said reply message and determining if said reply message is authentic from the first device.
14. The method of claim 1, wherein said determining if said request is authentic comprises verifying an authenticator appended to said request.
15. The method of claim 14, wherein said authenticator includes a digital signature.
16. The method of claim 15, further comprising the second device encrypting said request prior to said second device transmitting on the I/O bus said encrypted request, wherein said encrypted request is said authenticator.
17. The method of claim 14, wherein said authenticator includes a hash value.
18. The method of claim 1, further comprising: the second device receiving a packet from a first computer system coupled to the second device, wherein said packet includes said request, wherein the first computer system is dissimilar from a second computer system in which the first and second devices are embodied; the second device forwarding said request to the first device in response to said receiving said packet from the first computer system and prior to said second device transmitting on the I/O bus to the first device said request.
19. The method of claim 18, further comprising: the second device determining if said packet is authentic from said first computer system; and the second device forwarding said request to the first device only if said packet is authentic from said first computer system.
20. The method of claim 19, further comprising: the second device determining if the first computer system is authorized to request said peer-to-peer operation; and the second device forwarding said request to the first device only if the first computer system is authorized to request said peer-to-peer operation.
21. The method of claim 20, wherein said packet includes identification information associated with the first computer system, the method further comprising: the second device receiving a rule set, wherein said rule set identifies a set of peer-to-peer operations which the first computer system is authorized to request the first device to perform based upon the identification information of the first computer system; and wherein said second device determining if the first computer system is authorized to request said peer-to-peer operation comprises the second device determining if the first computer system is authorized to request said peer-to-peer operation based upon said rule set and said first computer system identification information.
22. A computer system, comprising: an input/output (I/O) bus; first and second devices coupled to the I/O bus, wherein the second device is operable to transmit on the I/O bus to the first device a message including a request to perform a peer-to-peer I/O operation without intervention from an operating system; wherein the first device is operable to receive said message and determine if said message is authentically derived from the second device; wherein the first device is operable to determine if the second device is authorized to request the first device to perform said peer-to-peer I/O operation; and wherein the first device performs said peer-to-peer I/O operation, without intervention from the operating system, only if said peer-to-peer I/O operation request is authentically derived from the second device and if the second device is authorized to request said peer-to-peer I/O operation.
23. The computer system of claim 22, wherein the second device belongs to one of a set of I/O device classes, wherein the first device is operable to receive a rule set, wherein said rule set identifies a set of peer-to-peer I/O operations which the second device is authorized to request the first device to perform based upon the I/O device class of the second device, wherein said first device determines if the second device is authorized to request said first device to perform said peer-to-peer I/O operation based upon said rule set and said I/O device class of the second device.
24. The computer system of claim 22, further comprising: a system BIOS and a processor operable to execute said system BIOS, wherein said system BIOS is operable to provide said rule set to said first device; and wherein the first device comprises a memory for storing said rule set received from said system BIOS.
25. The system of claim 22, wherein the second device is operable to encrypt said message prior to said second device transmitting to the first device said message and the first device is operable to decrypt said message prior to performing said peer-to-peer I/O operation.
26. The computer system of claim 25, wherein said second device memory is operable to store a key received from said system BIOS, wherein said second device uses said key to decrypt said message.
27. The computer system of claim 22, wherein the second device is operable to receive a packet from a remote computer system coupled to the second device, wherein said packet includes said request to perform said peer-to-peer I/O operation, wherein the second device is operable to create said message including said request to perform said peer-to-peer I/O operation in response to receiving said packet from the remote computer system.
28. The computer system of claim 27, wherein the second device is operable to determine if said packet is authentically derived from the remote computer system, wherein the second device transmits said message to the first device only if said packet is authentically derived from the remote computer system.
29. The computer system of claim 27, wherein the second device is operable to determine if the remote computer system is authorized to request said peer-to-peer I/O operation and the second device creates said message including said request to perform said peer-to-peer I/O operation only if the remote computer system is authorized to request said peer-to-peer I/O operation.
30. The computer system of claim 22, wherein said I/O bus is a bus selected from the list comprising: Peripheral Component Interconnect (PCI) bus, Fibre Channel bus, IEEE 1394 bus, Universal Serial Bus (USB).
31. An I/O device for coupling to an I/O bus, comprising: a processor for performing security services; a memory coupled to the processor for storing a rule set and a key; wherein the I/O device is operable to receive on the I/O bus from a peer I/O device a message including a request to perform a peer-to-peer I/O operation without intervention from an operating system; wherein the I/O device is operable to receive said message and determine if said message is authentically from the peer I/O device using said key stored in said memory; wherein the I/O device is operable to determine if the peer I/O device is authorized to request the I/O device to perform said peer-to-peer I/O operation based upon said rule set stored in said memory; and wherein the first device performs said peer-to-peer I/O operation, without intervention from the operating system, only if said peer-to-peer I/O operation request is authentically from the peer I/O device based upon said key and if the peer I/O device is authorized to request said peer-to-peer I/O operation based upon said rule set.
32. The I/O device of claim 31, wherein the peer I/O device belongs to one of a set of I/O device classes, wherein said rule set identifies a set of peer-to-peer I/O operations which the peer I/O device is authorized to request the I/O device to perform based upon the I/O device class of the peer I/O device, wherein said I/O device determines if said peer I/O device is authorized to request said I/O device to perform said peer-to-peer I/O operation based upon said rule set and said I/O device class of said peer I/O device.
33. The I/O device of claim 31, wherein the message is an encrypted message, wherein the I/O device is operable to decrypt said message using said key.
34. An I/O device for coupling to an I/O bus, comprising: a processor for performing security services; a memory coupled to the processor for storing a rule set and a key; wherein the I/O device is operable to receive from a remote computer a packet including a request for a peer I/O device also coupled to the I/O bus to perform an I/O operation without intervention from an operating system; wherein the I/O device is operable to determine if said packet is authentic from the remote computer using said key stored in said memory; wherein the I/O device is operable to determine if the remote computer is authorized to request the peer I/O device to perform said I/O operation based upon said rule set stored in said memory; and wherein the I/O device forwards said I/O operation request to said peer I/O device only if said packet is authentically from the remote computer based upon said key and if the remote computer is authorized to request said I/O operation based upon said rule set.
Complete technical specification and implementation details from the patent document.
While the invention is susceptible to various modifications and alternative
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
Unknown
May 9, 2000
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.